Anilrgowda

Risk Assessment - Home Users: Low - Corporate Users: Low Date Discovered: 12/28/2006 Date Added: 12/28/2006 Origin: N/A Length: N/A Type: Virus SubType: Parasitic DAT Required: 4928 Virus Family Statistics (over the past 30 days)

Virus Name Infected Files Scanned Files % Infected Computers HLLP 8 282,057 0.00 HLLP.10000a 3 8,770 0.00 HLLP.10217 0 0 0.00 HLLP.11652 0 0 0.00 HLLP.13040 0 0 0.00 HLLP.15392 0 0 0.00 HLLP.3327 3 8,770 0.00 HLLP.4629 0 0 0.00 HLLP.4665 0 0 0.00 HLLP.4676 0 0 0.00 HLLP.4720 0 0 0.00 HLLP.4745 0 0 0.00 HLLP.4745b 0 0 0.00 HLLP.4745c 5 282,057 0.00 HLLP.4999 0 0 0.00 HLLP.5000a 0 0 0.00 HLLP.5153 0 0 0.00 HLLP.5667 0 0 0.00 HLLP.5792 0 0 0.00 HLLP.5844 0 0 0.00 HLLP.5846a 0 0 0.00 HLLP.6253 0 0 0.00 HLLP.6279 0 0 0.00 HLLP.6425 0 0 0.00 HLLP.6549 0 0 0.00 HLLP.7128 0 0 0.00 HLLP.7296 3 8,770 0.00 HLLP.7408 26 565,675 0.00 HLLP.7720 0 0 0.00 HLLP.7792a 0 0 0.00 HLLP.7792b 0 0 0.00 HLLP.7929 0 0 0.00 HLLP.7940 0 0 0.00 HLLP.8192a 0 0 0.00 HLLP.8192b 0 0 0.00 HLLP.8192c 0 0 0.00 HLLP.8304a 0 0 0.00 HLLP.8688 0 0 0.00 HLLP.9312 0 0 0.00 HLLP.Ale 3 8,770 0.00 HLLP.GR1 11 282,057 0.00 HLLP.Nazi.4415 3 8,770 0.00 HLLP.Vova.a 0 0 0.00 HLLP.Vova.b 0 0 0.00 W32/HLLP 13 499,766 0.00 W32/HLLP.14336a 1 8 0.00 W32/HLLP.17408a 4 10,376 0.00 W32/HLLP.18432 0 0 0.00 W32/HLLP.49110 0 0 0.00 W32/HLLP.dr 5 35,024 0.00 W32/HLLP.Giwin 0 0 0.00 Virus Characteristics

W32/HLLP.Philis.dm is a file infecting virus.
On execution, it copies itself in %WinDir%\uninstall as rundl132.exe and adds a load registry entry to activate itself on reboot. It also creates the following registry entries:

• • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadMana ger
  • HKEY_LOCAL_MACHINE\SOFTWARE\Soft\DownloadWWW\auto: "1"

It drops a file named RichDll.dll (detected as W32/HLLP.Philis.dll) in %WinDir%. It then injects this dll in Explorer.exe process. This dll is responsible for opening a backdoor and also downloading game password stealing trojans from the following location:

• • down.down988.cn/[REMOVED]

W32/HLLP.Philis.dm searches for executable files and prepends its 58 KB viral code to target files. The prepending virus code is written using Borland Delphi.
The virus tries to spread via existing network shares. It searches for all active machines within the subnet. When it finds an active machine it sends an ICMP ping request and waits for a response. This ping request packet contains "Hello, World" string. After getting the ping response it tries to access the ADMIN$, IPC$ and any other shares that might exist on the machine. If the virus is able to access a shared resource, it first copies "_desktop.ini" to the root of the share to mark the share as visited and then infects executables present in the share.
The virus terminates the following processes.

• • EGHOST.EXE
  • MAILMON.EXE
  • KAVPFW.EXE
  • IPARMOR.EXE
  • Ravmond.EXE
  • regsvc.exe
  • mcshield.exe

It also tries to stop the Kingsoft AntiVirus Service.


Indications of Infection

• Modified executable files (change in size of exe files)
• Presence of %WinDir%\RichDll.dll
• Presence of registry entries as described

Method of Infection

W32/HLLP.Philis.dm is a file infecting virus. Infection starts with manual execution of the binary. For spreading, the virus also relies on improperly configured/protected (open) shared drives.


Removal Instructions

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination. Additional Windows ME/XP removal considerations

Aliases

PE_LOOKED.DY-O (Trend Micro), W32.Looked.P (Symantec), Worm.Win32.Viking.ea (Kaspersky)